
Policy Pulse - Issue #16 | Week of May 23, 2026

Peter G. Neumann, who moderated the ACM RISKS Forum for 41 years and helped found the discipline of secure-systems research, died May 17 at 93. CISA opens a public KEV nomination form. Cloudflare publishes its Project Glasswing post-mortem.

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.


Top Story

Peter G. Neumann, 1932 to 2026: The Conscience of Computer Security

Peter G. Neumann died on May 17 at age 93. For more than five decades from the same office at SRI International, he chronicled what computers do to people, what people do to computers, and what the industry kept refusing to learn. John Markoff's New York Times obituary traces an arc that runs through Multics at Bell Labs in the 1960s, the founding of the ACM RISKS Forum on August 1, 1985, his 1995 book Computer-Related Risks, and the DARPA-funded CHERI hardware capability architecture now being commercialised by the CHERI Alliance. He moderated the RISKS Digest continuously for 41 years across 34 volumes, ending with Volume 34 Issue 91 in April 2026. He was still working full time on Pentagon-supported secure-system design when he died.

Neumann's signature contribution was not a single result but a stance. He insisted, against industry custom, that recurring computer failures were not unfortunate accidents but predictable consequences of the way systems were being built and sold. "I'm fundamentally an optimist with regard to what we can do with research," he told Markoff, "but I'm fundamentally a pessimist with respect to what corporations do, because they're always working on short-term appearance." He believed the answer was hardware foundations, formal methods, and a culture that took disclosure and post-mortems seriously rather than treating each failure as a one-off. He kept naming the pattern for forty years while most of the industry kept pretending each fresh disaster was unforeseeable.

For the disclosure community he is one of the people who made the work thinkable. The RISKS archive was, before there was a word for it, a public coordinated-disclosure infrastructure: a place where researchers, operators, and ordinary affected users could put failures on the record without permission from the vendor. Whitfield Diffie described Neumann to the Times as "one of the last of the old guard and a pointer to the future." Patrick Lincoln, director of DARPA's Information Innovation Office, said Neumann was willing to work "behind the scenes without credit" and that "the world is just so much a better place for having had Peter." We agree.

Why it matters for VDP: Neumann's RISKS Forum was a four-decade demonstration that public, archived, named-author reporting on computer failures is a load-bearing piece of the security ecosystem. Every modern VDP program inherits that premise. The work he did on CHERI and on Multics-style compartmentation is the architectural answer to the vulnerability-abundance result we cover further down: when bugs are effectively unbounded, you stop counting them and start containing them.


Upcoming Deadlines & Events

Date          | Agency              | Event / Deadline                                              | Action Required                                                                          | Link
------------- | ------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | ---------------
May 28, 2026  | CISA                | KEV nomination form intake open (rolling)                    | Researchers and vendors with exploitation evidence can submit through the new Qualtrics form | Nomination form
May 30, 2026  | NIST                | CSF 2.0 implementation examples comment period closes        | Practitioner feedback on AI-profile implementation examples                              | CSRC drafts
June 11, 2026 | European Commission | EU CRA notifying authority designations due                  | EU member states must notify designated conformity-assessment bodies                     | CRA portal
June 30, 2026 | EU member states    | NIS2 first compliance audit deadline                         | Designated essential and important entities complete first audit cycle                   | NIS2 directive
Rolling       | CISA                | KEV catalog updates (six within prior two weeks of May 21)   | Federal agencies track BOD 22-01 remediation deadlines                                   | KEV catalog

The KEV nomination form is the actionable item this week. If you triage submissions and you have exploitation evidence that has not yet made the catalog, send it in. The pipeline is now public.


This Week in Policy

AI & Emerging Tech Security

  • Cloudflare publishes Project Glasswing post-mortem on Mythos Preview: On May 18, Cloudflare CISO Grant Bourzikas published "Project Glasswing: what Mythos showed us", the company's first detailed account of testing Anthropic's Mythos Preview against more than fifty internal Cloudflare repositories. The headline finding is that Mythos chains "several small attack primitives together into a working exploit," writes proof-of-concept code in a scratch environment, compiles it, runs it, and iterates when tests fail, behaviour Bourzikas compares to "the work of a senior researcher." Cloudflare's policy position: any future generally-available cyber-capable frontier model "must include additional safeguards on top of this baseline behavior," and defenders should prioritise architectural compartmentation over patch-speed because "make exploitation harder for an attacker even when a bug exists" is the only stable equilibrium. Why it matters for VDP: this is a vendor that just did proof-of-exploit work with an AI in its own codebase and is publishing the result. Programs need to decide whether they accept AI-authored submissions, how they verify them, and whether their researcher-of-record fields are equipped for that. Throwback: in Issue #15 we framed Project Glasswing alongside OpenAI's Daybreak as the structural pattern. The Cloudflare write-up is the first detailed customer-side account.

Federal Strategy & Regulation

  • House Science Environment Subcommittee holds water-sector cyber hearing: On May 21 at 2 PM, the Environment Subcommittee of the House Committee on Science, Space, and Technology held "Research-Driven Resilience: Applying Science to Secure U.S. Water Systems from Cyber Threats," chaired by Rep. Scott Franklin with full-committee Chairman Brian Babin opening. Witnesses included David Hinchman (GAO Director, IT and Cybersecurity), Virginia Wright (Idaho National Lab, Cyber-Informed Engineering), Joshua Corman (Institute for Security and Technology), and Nicole Tisdale (Advocacy Blueprints). Testimony focused on the more than 50,000 community water systems, most serving small populations, that operate on decades-old ICS hardware predating the threat model. Why it matters for VDP: water-sector ICS operators are exactly the population that does not have a VDP today. Federal hearings like this are where the appropriations and the EPA rulemaking that would change that get framed. Researchers working on water-sector vulnerabilities should track Corman's and Tisdale's submitted testimony as the practitioner-facing position.

CVE & Vulnerability Programs

  • CISA opens public KEV nomination form: On May 21, CISA announced a new public nomination form letting technology vendors, independent researchers, and "anyone else" submit candidates for the Known Exploited Vulnerabilities catalog. Submitters provide CVE number, evidence of exploitation, mitigation guidance, and scope across vendors. Chris Butera, CISA's acting executive assistant director for cybersecurity, said the capability "enhances CISA's ability to identify, validate, and quickly share critical threat information." The catalog held roughly 1,600 entries at announcement and had been updated six times in the prior two weeks. Why it matters for VDP: this is the first time KEV has had a documented public intake. Until now the catalog was a trailing indicator gated on CISA's internal sourcing. Researchers with exploitation evidence (especially those whose vendors are slow to coordinate) now have a federal escalation path that does not require knowing someone at CISA. Add it to your disclosure-pathway documentation.

  • Leverett and van der Ham-de Vos prove vulnerability counts are unbounded: On April 8 (revised May 1), Eireann Leverett (Concinnity Risks) and Jeroen van der Ham-de Vos (DIVD, NCSC-NL, University of Twente) posted "Vulnerability Abundance: A formal proof of infinite vulnerabilities in code" to arXiv, constructing a single C program that admits a countably infinite set of CVE-assignable vulnerabilities under MITRE's own CNA counting rules. Why it matters for VDP: the "we found N bugs" metric measures researcher effort and CNA policy, not program health. Exploitation evidence (the thing KEV is now publicly intaking, above) carries far more decision weight than raw counts. See Friends of disclose.io below for the conceptual reframing the paper proposes.

  • Bratus and DeSombre Bernsen publish "From Chaos to Capability" on the US offensive-cyber market: Winnona DeSombre Bernsen and Sergey Bratus (Dartmouth, formerly DARPA I2O) published "From Chaos to Capability: Building the U.S. Market for Offensive Cyber" through the Dartmouth Cyber Roundtable in October 2025. The paper draws on interviews with 30 experts across government, venture capital, and the offensive-cyber industry, and asks whether the US should outsource cyber-attack capability to a regulated private sector the way it outsources kinetic capability to defence primes. The argument is back in circulation this week as the policy community absorbs the Cloudflare and Anthropic capability disclosures. Why it matters for VDP: the regulated-offensive-vendor model the paper sketches has direct second-order effects on coordinated disclosure. A formal US offensive-cyber market would create vendors with strong financial incentives against patching, and would put the legal status of independent security research (CFAA, good-faith carve-outs) under renewed pressure. Worth reading in full before the next round of CFAA reform conversations.

Worth Reading


Friends of disclose.io

Eireann Leverett and Jeroen van der Ham-de Vos: "Vulnerability Abundance"

Eireann (Concinnity Risks, longtime contributor to the disclosure-research community) and Jeroen (DIVD, NCSC-NL, University of Twente) have published a paper that should change how the field talks about counts. "Vulnerability Abundance: A formal proof of infinite vulnerabilities in code" constructs an explicit C program, the "Vulnerability Factory," that admits a countably infinite set of distinct, independently CVE-assignable vulnerabilities under MITRE's own CNA counting rules. The proof is formal, set-theoretic, and checked against the model-checking literature. It is also disarmingly straightforward: you can read the construction and verify it yourself.

The paper's deeper move is conceptual. Leverett and van der Ham-de Vos introduce "vulnerability abundance" as a quantitative analogy to chemical elemental abundance, framing vulnerability classes as a proportional distribution across the global software corpus that varies by language, paradigm, and time. They then anchor the framing in the empirical fact, drawn from prior exploitation-tracking work, that fewer than 6% of published CVEs are ever exploited in the wild. The two ideas together replace "how many bugs does X have" with the more useful "what is the exploitability-weighted vulnerability density of X, and how does it move when we change the architecture."

Key findings:

  • A single C program admits a countably infinite set of CVE-assignable vulnerabilities under MITRE rules
  • Fewer than 6% of published CVEs are ever exploited in the wild (cited from prior empirical work)
  • Vulnerability counts are an artefact of researcher effort and CNA counting policy, not a property of the software
  • The useful unit of analysis is exploitability-weighted abundance, not raw count

Full paper on arXiv

Eireann has been doing rigorous, plain-language work at the intersection of vulnerability economics and disclosure policy for over a decade, including the cyber-insurance and CVE-counting analyses that fed early disclose.io thinking. Jeroen brings the operational disclosure-coordination view from two of the most consequential coordinated-disclosure shops in Europe — DIVD (the Dutch Institute for Vulnerability Disclosure, where volunteer researchers run mass-notification campaigns on internet-scale vulnerabilities) and NCSC-NL (the Dutch national CSIRT, where coordinated vulnerability disclosure is operational policy, not a hope). This paper is the kind of foundational re-framing the field needs heading into the AI-discovered-vulnerability era. Recommended without reservation.


Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.

Have a tip or want to contribute? Reply to this email, reach out on Bluesky, or drop a comment here.